CCPA Security FAQs: Once a data breach is reported to the state of California, is it posted to a website?

August 27, 2019

Yes.

The Office of the Attorney General publicly posts each data breach that is reported to its office on the following website: https://oag.ca.gov/privacy/databreach/list. Among other things, the attorney general includes the following information about each breach:

  • The date that the data breach occurred;
  • The date that the breach was reported to the Office of the Attorney General;
  • The type of information impacted by the breach;
  • A description of the factual situation that caused the breach; and
  • A description of the actions taken by the impacted company.

The information provided by the Office of the Attorney General is sortable, searchable, and can be downloaded by website visitors.  In light of the statutory damages referenced within Section 1798.150 of the CCPA, BCLP anticipates that beginning on January 1, 2020, plaintiffs’ attorneys will use the information posted by the Office of the Attorney General as a roadmap for identifying potential data breach class action defendants.


This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.